Security headers checker
Paste a URL. Get a grade from A to F plus per-header fix guidance for Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-* headers, and the legacy X-XSS-Protection.
Free. No signup. Rate-limited to 30 checks per IP per hour. Same grading logic as our main scanner's security agent — including the strict-dynamic CSP upgrade recognition that most public checkers get wrong.
Five common security-header mistakes
CSP with unsafe-inline but no strict-dynamic. Configuring a CSP without the nonce/hash upgrade leaves the script-src wide open. The tool flags this as a HIGH severity fail; the modern fix is a per-request nonce.
HSTS too short. max-age below 31536000 (1 year) is below the HSTS preload-list threshold. Some sites set max-age=300 thinking it's safer; in practice it just means the browser forgets HTTPS enforcement five minutes after each visit.
No clickjacking protection. Missing BOTH X-Frame-Options AND CSP frame-ancestors. Your site can be loaded in an attacker's iframe with a transparent overlay to steal clicks.
Referrer-Policy leaks URLs. Default browser behaviour today is fine, but explicitly setting unsafe-url or the deprecated no-referrer-when-downgrade sends full URLs (with query strings — often containing tokens or PII) to every third-party site your users navigate to.
X-XSS-Protection still enabled. The legacy header was removed from Chrome in 2019 due to universal-XSS bypasses. Having it set to anything other than 0 is a misconfiguration; modern browsers ignore it and CSP is the replacement.
Common security-header questions
What are security headers and why do they matter?
Security headers are HTTP response headers that tell the browser to enforce specific protections — block clickjacking, enforce HTTPS, restrict cross-site script execution, control how user data leaks to third parties. Missing or misconfigured security headers don't cause visible bugs, but they make your site easier to attack and (for high-value targets like banks / fintech / healthcare) can fail compliance audits.
Which security headers are most important?
In priority order: Content-Security-Policy (XSS protection), Strict-Transport-Security (HSTS, blocks SSL-stripping), X-Frame-Options or CSP frame-ancestors (clickjacking), X-Content-Type-Options (MIME sniffing), Referrer-Policy (data leakage to third parties). The first three are the most consequential; the rest are belt-and-braces.
My CSP has "unsafe-inline" — is that bad?
It depends. Plain unsafe-inline negates most of CSP's XSS protection. BUT if your CSP also has 'strict-dynamic' plus a per-request nonce or hash, modern browsers (Chrome 52+, Firefox 49+, Safari 15.4+) actually IGNORE unsafe-inline — it remains only as a fallback for older browsers. This tool recognizes the strict-dynamic upgrade pattern and doesn't flag it.
Do I need both X-Frame-Options AND CSP frame-ancestors?
frame-ancestors is the modern replacement. If you have it, X-Frame-Options is optional (legacy-browser fallback). But if you have X-Frame-Options only, you're missing modern-browser protection — older versions of Chrome / Firefox / Safari accidentally allow framing when X-Frame-Options conflicts with other CSP rules. Best: set both, or migrate fully to CSP frame-ancestors.
Is X-XSS-Protection still useful?
No. The Chrome team REMOVED the XSS Auditor in 2019 because of bypasses and universal-XSS issues. Modern browsers ignore the header. Set X-XSS-Protection: 0 (explicitly off) or just remove it; rely on CSP for XSS protection.
What's a good HSTS configuration?
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload. That is a 1-year max-age with all subdomains included; then submit your domain to https://hstspreload.org so it ships in the hardcoded preload list used by Chrome / Firefox / Safari. Start with a shorter max-age (e.g. 1 day) until you're confident HTTPS is stable across all hosts.
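The five checks described in the mistakes list and the FAQ above, including the strict-dynamic upgrade rule for 'unsafe-inline', as an added stand-alone example; this is not the checker's own code. The sample headers are constructed, and only the HIGH rating for the CSP finding comes from the page; the other severities are assumptions.

```python
import re

# Constructed sample response headers (not captured from any real site) for a
# host that makes several of the mistakes listed above.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "script-src 'self' 'unsafe-inline' https://cdn.example",
    "Strict-Transport-Security": "max-age=300",
    "Referrer-Policy": "unsafe-url",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

def csp_directives(csp):
    """Split a CSP value into {directive_name: [source tokens, lower-cased]}."""
    out = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out

def check_headers(headers):
    """Return (severity, message) findings for the five mistakes; [] if clean.
    Only the HIGH rating for CSP comes from the page; the rest are assumed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = csp_directives(h.get("content-security-policy", ""))
    # script-src falls back to default-src when absent, as the browser does
    script = csp.get("script-src", csp.get("default-src", []))
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                        for s in script)
    # Browsers that support 'strict-dynamic' ignore 'unsafe-inline' once a
    # nonce/hash is present, so only flag it when that upgrade is missing
    if "'unsafe-inline'" in script and not ("'strict-dynamic'" in script and nonce_or_hash):
        findings.append(("HIGH", "CSP script-src allows 'unsafe-inline' with no strict-dynamic + nonce/hash"))
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if not m or int(m.group(1)) < 31536000:
        findings.append(("MEDIUM", "HSTS missing or max-age below 31536000 (1 year)"))
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append(("MEDIUM", "No clickjacking protection: neither X-Frame-Options nor frame-ancestors"))
    if h.get("referrer-policy", "").strip().lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(("LOW", "Referrer-Policy sends full URLs (query strings included) to third parties"))
    xss = h.get("x-xss-protection")
    if xss is not None and xss.strip() != "0":
        findings.append(("LOW", "Legacy X-XSS-Protection enabled; set it to 0 or remove it"))
    return findings
```

Running check_headers(SAMPLE_HEADERS) reports all five mistakes, while a policy such as "script-src 'nonce-...' 'strict-dynamic' 'unsafe-inline' https:; frame-ancestors 'none'" with a 1-year HSTS passes clean.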
Want the full audit, not just security headers?
A Seoxpert scan checks security headers plus 230+ other signals across SEO, performance, AI search readiness, and EU privacy compliance. Free first scan.